CombiSan: Unifying Software Sanitizers for Comprehensive Fuzzing

Matteo Marini, Sapienza University of Rome; Floris Gorter, Vrije Universiteit Amsterdam; Daniele Cono D'Elia, Sapienza University of Rome; Cristiano Giuffrida, Vrije Universiteit Amsterdam

Modern C/C++ bug detection efforts heavily rely on fuzzing with software sanitizers. However, the most popular sanitizers have limited interoperability. As a result, developers often enable each sanitizer in isolation, if at all, requiring multiple runs. This sequential execution undermines performance and tests code in a non-uniform manner.

In this paper, we present CombiSan, a fuzzing-optimized sanitizer that simultaneously detects all the addressability, uninitialized memory, and other undefined behavior issues covered by the three most popular sanitizers: ASan, MSan, and UBSan. CombiSan features a unified shadow memory design that efficiently tracks both the addressability and the initialization state of every byte of program memory. In addition, CombiSan's instrumentation seamlessly integrates with state-of-the-art detection of other undefined behavior classes. As bugs found by different sanitizers may mask each other by terminating execution early, CombiSan defers its analysis of all aggregated issues to test case completion.
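The following toy model is an added illustration of the design sketched in this paragraph and is not CombiSan's code: the shadow encoding (two bits per program byte), the function names, and the choice to flag an uninitialized byte at load time rather than at its first use (as MSan proper does) are all simplifying assumptions. It shows how one shadow byte can carry both ASan-style addressability and MSan-style initialization state, and how recording issues instead of aborting lets a single run surface an uninitialized read, a heap overflow and a use-after-free that would otherwise mask each other.

```c
/* Toy unified shadow memory: per byte, one addressability bit (ASan-like)
 * and one initialization bit (MSan-like), with deferred reporting.
 * Added illustration only; names and encoding are assumptions, not CombiSan's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   64      /* bytes of simulated program memory */
#define MAX_ISSUES 16

/* Assumed two-bit shadow layout for each program byte. */
#define SH_ADDRESSABLE 0x1
#define SH_INITIALIZED 0x2

enum issue_kind { ISSUE_NONE = 0, ISSUE_BAD_ADDR, ISSUE_UNINIT_READ };

struct issue { enum issue_kind kind; size_t addr; };

static uint8_t shadow[MEM_SIZE];
static struct issue issues[MAX_ISSUES];
static size_t n_issues;

/* Record an issue without terminating, so later bugs remain observable. */
static void record(enum issue_kind kind, size_t addr)
{
    if (n_issues < MAX_ISSUES)
        issues[n_issues++] = (struct issue){ kind, addr };
}

static void shadow_reset(void)
{
    memset(shadow, 0, sizeof shadow);   /* all bytes start unaddressable */
    n_issues = 0;
}

/* Allocation makes bytes addressable but leaves them uninitialized. */
static void shadow_alloc(size_t base, size_t len)
{
    for (size_t i = base; i < base + len && i < MEM_SIZE; i++)
        shadow[i] = SH_ADDRESSABLE;
}

/* Freeing clears both bits, so a later access is a bad-address issue. */
static void shadow_free(size_t base, size_t len)
{
    for (size_t i = base; i < base + len && i < MEM_SIZE; i++)
        shadow[i] = 0;
}

/* A store requires addressable bytes and marks them initialized. */
static void check_store(size_t addr, size_t len)
{
    for (size_t i = addr; i < addr + len; i++) {
        if (i >= MEM_SIZE || !(shadow[i] & SH_ADDRESSABLE)) {
            record(ISSUE_BAD_ADDR, i);
            continue;
        }
        shadow[i] |= SH_INITIALIZED;
    }
}

/* A load requires addressable bytes; an uninitialized byte is flagged
 * here on load (simplification: MSan reports on use, e.g. a branch). */
static void check_load(size_t addr, size_t len)
{
    for (size_t i = addr; i < addr + len; i++) {
        if (i >= MEM_SIZE || !(shadow[i] & SH_ADDRESSABLE))
            record(ISSUE_BAD_ADDR, i);
        else if (!(shadow[i] & SH_INITIALIZED))
            record(ISSUE_UNINIT_READ, i);
    }
}

static size_t issue_count(void) { return n_issues; }
static enum issue_kind issue_kind_at(size_t i) { return i < n_issues ? issues[i].kind : ISSUE_NONE; }
static size_t issue_addr_at(size_t i) { return i < n_issues ? issues[i].addr : (size_t)-1; }

/* Constructed test case: three bug classes observed in one run. */
static size_t run_test_case(void)
{
    shadow_reset();
    shadow_alloc(16, 8);   /* p = malloc(8) at simulated address 16        */
    check_store(16, 4);    /* write p[0..3]: fine                          */
    check_load(16, 8);     /* read p[0..7]: bytes 20..23 uninitialized      */
    check_load(24, 1);     /* read p[8]: heap overflow (unaddressable)      */
    shadow_free(16, 8);    /* free(p)                                       */
    check_load(16, 1);     /* read p[0]: use after free                     */
    return issue_count();  /* 6 issues aggregated, none aborted the run     */
}

int main(void)
{
    size_t n = run_test_case();
    /* Deferred report: all aggregated issues are printed after completion. */
    for (size_t i = 0; i < n; i++)
        printf("%s at byte %zu\n",
               issue_kind_at(i) == ISSUE_BAD_ADDR ? "bad-address" : "uninit-read",
               issue_addr_at(i));
    return 0;
}
```

With abort-on-first-error semantics, the four uninitialized reads would have ended the run before the overflow or the use-after-free was ever reached; deferring the report is what lets all three classes appear in one test case.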

In our evaluation, CombiSan detected 81 new bugs in 10 programs tested daily by OSS-Fuzz. On average, fuzzing with CombiSan is 1.7x faster than sequentially testing with ASan+UBSan and MSan. Moreover, our results demonstrate that CombiSan has the same bug detection accuracy as these sanitizers, despite running for significantly fewer CPU hours.
